JSON Web Token identity authentication

Source: Internet
Author: User
Tags: hmac

User authentication is generally done in one of five ways:

  • HTTP Basic Authentication
    The client puts the user name and password, Base64-encoded, in the Authorization field of the HTTP header, and resends them with every request. It is simple to implement, but Base64 is an encoding, not encryption, so the credentials are exposed on every request unless the connection uses TLS.

  • Cookies
    The client sends the user name and password to the back end; once they pass authentication, the returned Cookie is kept as the proof that the user has logged in, and every subsequent request carries that Cookie.

  • Signatures
    The user obtains a secret key from the server and uses it to compute a signature over each request before sending it; the server recomputes the signature to check the request. This style is mainly used for APIs.

  • One-time passwords
    A different password for every login, generally delivered to the user by the server through email (or another out-of-band channel). This way of logging in is more cumbersome.

  • JSON Web Token
    The client sends its authentication information (user name and password) to the server; after verifying it, the server returns a token made up of an agreed Header, Payload and Signature, and the client then presents that token as its login credential. This suits mobile apps and APIs.

Because the front end and back end are now separated, most back ends only serve data, generally in JSON format, so JSON Web Token has become a popular authentication method.

JWT has some advantages over the other authentication methods:

    • The token is signed with HMAC or RSA, so its contents cannot be altered without the server noticing. Note that a plain signed JWT is not encrypted: the payload is only base64url-encoded and can be read by anyone who holds the token, so it must not carry secrets.

    • The token is compact, and can carry all the user information needed, such as the expiry time, the user's permissions, or other custom claims.

    • It suits identity authentication for mobile apps and single-page apps.

    • It is flexible to use: once a JWT has been issued it can be sent as POST data or added to an HTTP header.

JWT structure

A JWT consists of 3 parts:

    • Header

    • Payload

    • Signature

The payload carries the actual authentication information; what is written here determines what the token asserts about the user, for example the user's permissions, which is why it must be covered by the signature. Apart from the reserved claims such as exp (expiry time), aud (audience) and iss (issuer), the payload is written like ordinary JSON.

Signature

The signature, computed with a key that only the server holds, is what guarantees the integrity of the token.

The header and payload are each Base64url-encoded and joined with a dot; that string is then signed with HMAC-SHA256 or RSA, and the Base64url-encoded signature is appended as the third part, giving a single string of the form header.payload.signature.

JWT usage Process

JWT diagram (image)

The client POSTs the user name and password to the server; when the security requirements are high the credentials should travel over an encrypted channel. The server compares the user name and password with the database and, if they match, generates a JWT as described above and returns it to the client. From then on every request from the client carries the JWT, either in the Authorization HTTP header or in the POST data. The server validates the JWT and parses its payload in order to determine the user's permissions.

JWT is easy to use. Node.js's node-jsonwebtoken package (published on npm as jsonwebtoken), for example, provides the two functions jwt.sign and jwt.verify for issuing and verifying tokens, and jwt.io lists JWT packages for many languages.

